Data Security & Privacy Client Alert – March 2017

On March 1, 2017, the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation went into effect. 23 N.Y.C.R.R. 500 (the “Cybersecurity Regulation”). Some portions of the Cybersecurity Regulation must be complied with by the end of the summer – August 28.

The Cybersecurity Regulation is directed to those operating under, or required to operate under, New York Banking Law, Insurance Law and/or Financial Services Law (“Covered Entities”), but it has ripple effects beyond these businesses.

The goal of the Cybersecurity Regulation is to protect the financial services industry from cybersecurity threats by requiring Covered Entities to have cybersecurity programs in place to protect their information technology systems and various confidential and sensitive information. Specifically, the Cybersecurity Regulation requires a Covered Entity to assess its risk profile and develop certain standards and practices to protect its information technology systems, as well as the non-public information those entities may have, such as business-sensitive information, personal identifiable information of customers and consumers and others, and health condition and services information (collectively, “NPI”).

The Cybersecurity Regulation also requires Covered Entities to have a cybersecurity program in place to address the particular risks applicable to a Covered Entity, engage in various risk assessment activities, and evaluate third party providers, which are those who maintain, process or otherwise permit access to NPI through its services to Covered Entities (“Third Party Providers”). By February 15, 2018, Covered Entities will have to certify compliance with the Cybersecurity Regulation, although due to its depth, some portions of the Regulation have grace periods in which Covered Entities have to comply

Ripple Effects of the Cybersecurity Regulation

Although only Covered Entities are subject to the Cybersecurity Regulation, the regulation requires Covered Entities to make inquiries of their Third Party Providers’ information security practices. Thus, just as Covered Entities are taking steps to comply with the Cybersecurity Regulation, Third Party Providers with access to a Covered Entity’s NPI are preparing themselves for the inquiries that Covered Entities will make to them about their own cybersecurity and information security practices.

Three Things to Consider Doing Now

Confirm you have or are in the process of developing a cybersecurity program. Covered Entities should review existing policies and enhance such policies, if needed, or create new program materials. This review (and potential enhancement) process requires collaboration by a Covered Entity’s and Third Party Provider’s information technology, management and legal professionals. Covered Entities need to identify a Chief Information Security Officer to oversee the cybersecurity program, which requires training, risk assessments, multi-factor authentication, data encryption, and other data security measures and practices. A cybersecurity program also requires an incident response plan that the Covered Entity will use to respond to a cybersecurity event. Such response includes notification to the DFS within 72 hours of determination that a cybersecurity event has occurred requiring notice under the law, or has a reasonable likelihood of materially harming any material part of the normal operations. Much of the cybersecurity program must be in effect by August 28, 2017.

Put cybersecurity topics on the board of directors’ or other governing body’s agenda. The Cybersecurity Regulation is requiring board and management involvement in discussions about cybersecurity and cybersecurity risk assessments. Leadership should therefore assist in the cybersecurity program development and understand their role in the program.

Review vendor relationships and vendor management programs. In response to the Cybersecurity Regulation, Covered Entities will be making inquiries of their Third Party Providers’ security practices. Covered Entities should discuss the approach and method in doing so with information technology and legal departments. Third Party Providers should consider how they will respond to these inquiries by looking at their own cybersecurity and information security policies and practices.

There are a lot of moving parts with the Cybersecurity Regulation. To determine where to start, contact Phillips Lytle’s Data Security & Privacy Practice Team. The team has first-hand experience in assisting Covered Entities and Third Party Providers in responding to the requirements imposed by the Cybersecurity Regulation. We have helped evaluate practices and reviewed and enhanced cybersecurity and incident response policies of both Covered Entities and Third Party Providers.

Phillips Lytle is uniquely situated to provide legal advice and services in this area because its Data Security & Privacy Practice Team is comprised of former technology business owners who have hands-on experience dealing with issues and concerns related to cybersecurity matters – from data breach prevention practices to on-the-ground breach response, and then interfacing with the government and responding to litigation in connection with any data breach. The firm also has a long history of being a premier financial services law firm, a reputation built on decades of successful representation of major commercial, savings and foreign banks, trust companies, finance companies, credit unions, and various other types of financial institutions and insurance companies.

Even if you are currently working with consultants to develop a cybersecurity program, the policies and procedures should be reviewed by legal counsel to ensure compliance with the Cybersecurity Regulation and other regulations and laws to help avoid inquiries or possible enforcement actions.